Skip to main content

Linux Kernel EUVDEUVD-2026-32295

| CVE-2026-45999 HIGH
Integer Underflow (CWE-191)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-xqmq-2p4j-99x8
7.1
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.1 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:35 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.1 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()

Some crafted images can have illegal (!partial_decoding && m_llen < m_plen) extents, and the LZ4 inplace decompression path can be wrongly hit, but it cannot handle (outpages < inpages) properly: "outpages - inpages" wraps to a large value and the subsequent rq->out[] access reads past the decompressed_pages array.

However, such crafted cases can correctly result in a corruption report in the normal LZ4 non-inplace path.

Let's add an additional check to fix this for backporting.

Reproducible image (base64-encoded gzipped blob):

H4sIAJGR12kCA+3SPUoDQRgG4MkmkkZk8QRbRFIIi9hbpEjrHQI5ghfwCN5BLCzTGtLbBI+g dilSJo1CnIm7GEXFxhT6PDDwfrs73/ywIQD/1ePD4r7Ou6ETsrq4mu7XcWfj++Pb58nJU/9i PNtbjhan04/9GtX4qVYc814WDqt6FaX5s+ZwXXeq52lndT6IuVvlblytLMvh4Gzwaf90nsvz 2DF/21+20T/ldgp5s1jXRaN4t/8izsy/OUB6e/Qa79r+JwAAAAAAAL52vQVuGQAAAP6+my1w ywAAAAAAAADwu14ATsEYtgBQAAA=

$ mount -t erofs -o cache_strategy=disabled foo.erofs /mnt $ dd if=/mnt/data of=/dev/null bs=4096 count=1

AnalysisAI

Local denial of service and potential information disclosure in the Linux kernel's EROFS filesystem affects versions from 5.13 through pre-patch releases, where a crafted EROFS image triggers an unsigned integer underflow in z_erofs_lz4_handle_overlap(). When a malicious image is mounted and a file is read, the LZ4 inplace decompression path wraps the 'outpages - inpages' calculation to a huge value and reads past the decompressed_pages array. No public exploit identified at time of analysis and EPSS probability is very low (0.02%), but a reproducible proof-of-concept image is embedded in the upstream commit message.

Technical ContextAI

EROFS (Enhanced Read-Only File System) is a Linux kernel filesystem used in Android and embedded contexts that supports LZ4 transparent compression. The bug lives in fs/erofs/decompressor.c within z_erofs_lz4_handle_overlap(), which manages overlap between input (compressed) and output (decompressed) page arrays during inplace decompression. The root cause is an unchecked extent invariant: when an image carries an illegal extent where partial_decoding is false yet m_llen (logical/decompressed length) is smaller than m_plen (physical/compressed length), the unsigned subtraction outpages - inpages underflows to a near-UINT_MAX value, driving an out-of-bounds read of rq->out[]. This is a classic CWE-191 (integer underflow) leading to CWE-125 (out-of-bounds read); the CWE field was not populated in the source feed but the patch description makes the class unambiguous.

RemediationAI

Vendor-released patch: upgrade to Linux 6.6.140, 6.12.88, 6.18.30, 7.0.4, 7.1-rc1, or any distribution kernel that has backported the five referenced stable commits at git.kernel.org/stable/c/ (21e161de…, bbbbb3f0…, f1374fa6…, c9ce18e6…, 43a87863…). Where immediate patching is not feasible, restrict the ability to mount untrusted EROFS images: ensure CAP_SYS_ADMIN is not granted to untrusted users, disable any unprivileged auto-mount daemons (udisks, systemd's auto-mount of removable media, Android vold paths) for EROFS, or blacklist the erofs module with 'modprobe -r erofs' and an /etc/modprobe.d/blacklist-erofs.conf entry - note that blacklisting will break any legitimate EROFS volumes on Android-derived systems and some embedded distros. As an interim layered control, mount untrusted images with 'noexec,nosuid,nodev' and inside a user namespace to limit the blast radius of a kernel OOB read.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-32295 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy